Policy Insights: New SEC Rules

The Securities and Exchange Commission has adopted NEW rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.

Policy Insights:

According to Lenny Zeltser, a SANS Institute faculty fellow who has specialized in information security and cybersecurity practices for over 20 years, and the current CISO of the cyber firm Axonius:

“The CISO community was excited to see that the SEC considered requiring boards of directors to disclose the extent of their cybersecurity expertise. This would have motivated boards to develop an understanding of cybersecurity.

The final rule doesn’t have this requirement. It’s natural to feel disappointed because it feels like a loss of what we could have had. Thus some proclaim that “the SEC basically let the boardroom largely slip off the hook for cybersecurity governance accountability.” However, since that proposed requirement was never enacted, we didn’t actually experience a loss. We’re just disappointed that our thought experiment didn’t turn into reality.

Fortunately, in reality, we gained several cybersecurity-reinforcing requirements included in the final SEC rule. It requires public companies to document “the board’s oversight of risks from cybersecurity threats.” Such disclosures will allow investors to understand the extent of the board’s involvement in cybersecurity. This creates a similar incentive to pay attention to cybersecurity that we hoped to get in the proposed rule. Moreover, the final rule includes the need to promptly report material cybersecurity incidents, increasing the incentive to minimize the occurrence of such incidents. Moreover, the rule requires companies to disclose their cybersecurity risk management process, which offers another lever for cybersecurity leaders.

It’s natural to review the final rule from the perspective of what could have been and not notice the benefits it offers. Cybersecurity professionals in public companies are better off today than before the final rule’s passing, and that’s worth celebrating.

I’m seeing some cybersecurity professionals saying that the new rule requires public companies to disclose material security incidents within 4 days. This isn’t quite right. The rule says that the company needs to file the incident-disclosing form “within four business days of determining an incident was material,” a determination the company must make “without unreasonable delay.”

The reference to “business” days gives companies some time. Moreover, the timer starts not after the company detected the incident, but after it determined that the incident was material. This sounds reasonable to me. An important note regarding this, though: The determination of what constitutes a material security incident and what’s considered undue delay should be made by legal professionals, not cybersecurity leaders.”

Ani Chaudhuri, CEO of Dasera, said:

“The new rules implemented by the SEC are a notable stride towards transparency in a world where cybersecurity incidents are increasingly common. With digital assets becoming increasingly critical to businesses, timely and comprehensive disclosure of such incidents to shareholders is pivotal.

Material incidents are those that have a significant impact on a company’s financials, operations, or reputation – elements which shareholders would indeed consider crucial in making an investment decision. The same principles apply whether we’re talking about a physical asset like a factory, or digital data. Cybersecurity is no longer a domain exclusive to IT professionals; it’s a concern for everyone.

While the SEC’s approach is admirable, it does bring a set of new challenges to the table. The reporting timeline may indeed seem tight, especially for complex incidents where an understanding of the scope and impact may take longer than four days. Given the technical and complex nature of cyber incidents, it’s important to strike a balance between providing timely information and ensuring that information is accurate and complete.

The additional 180 days granted to smaller companies is also a thoughtful concession, acknowledging that not all entities have the same resources to manage and report cyber incidents.

However, it is the clause about the potential postponement of disclosure in instances where it might pose a significant risk to national security or public safety that can be more contentious. While the intent is certainly valid, the execution must be handled carefully. Defining ‘significant risk’ might be a potential gray area, and companies should not misuse it as a loophole to delay disclosure.

Furthermore, while the rules require companies to provide a concise description of the incident, its impact, and the data compromised, they do not require companies to disclose specifics of their incident response plans or details about potential vulnerabilities. In this sense, the rules are a missed opportunity to push companies towards better preparedness and proactive planning. The more information available, the more we can learn and improve our defenses.

Lastly, let’s not forget that this rule is reactive. Disclosing an incident after it has happened does not prevent the incident in the first place. The real need of the hour is to invest more resources in proactive measures that would make our systems more resilient and reduce the chances of such incidents happening in the first place.

The SEC’s new rules are a positive step towards more transparency in handling cybersecurity incidents. Still, valid concerns and potential challenges must be addressed in implementing these rules. As we continue to rely more heavily on digital assets, the onus is on us to evolve our approach towards cybersecurity, making it a key part of strategic decision-making.”